[Snort-users] (http_inspect) UNKNOWN METHOD error on squid

Al Lewis (allewi) allewi at ...589...
Wed Mar 4 06:21:35 EST 2015


Hello,

Can you provide a pcap of the traffic that is causing the alerts?

What this alert is telling you is that one of the http_methods used in the packet is either not in your preprocessor config or malformed/invalid.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Terry John [mailto:Terry.John at ...16850...]
Sent: Wednesday, March 04, 2015 5:52 AM
To: snort-users
Subject: [Snort-users] (http_inspect) UNKNOWN METHOD error on squid

I am trying to work out how to stop of thousands of false positives caused by access to squid proxy on port 3128. Here is a typical error.

[119:31:1] (http_inspect) UNKNOWN METHOD [**]
[Classification: Unknown Traffic] [Priority: 3] <date>-<time> <src_ip>:35360 -> <squid_server_ip>:3128
TCP TTL:128 TOS:0x0 ID:87051 IpLen:20 DgmLen:775 DF
***A**** Seq: 0x126F0768 Ack: 0x859E62D4 Win: 0x4980 TcpLen: 32

Here is what I think  is the relevant section of the pre-processor declaration

preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
    allow_proxy_use \
    ports { 36 80 81 82 83 84 85 86 87 88 89 90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000 7001 7071 7144 7145 7510 7770 7777 7779 8000 8008 8014 8028 8080 8081 8082 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8509 8800 8888 8899 9000 9060 9080 9090 9091 9111 9443 9999 10000 11371 12601 15489 29991 33300 34412 34443 34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 } \

I have a local rule to reduce the number of errors but I would rather not have to do that

# This is to reduce the number of 'unknown method' http alerts
event_filter gen_id 119, sig_id 31, type limit, track by_src, count 1, seconds 10

I feel that squid proxy is so common that there should be a standard setting for this but at the moment I just can't find it.

If I delete port 3128 from the list of ports then the rule is not applied but I don't think that is what we want.

Thanks



The Manheim group of companies within the UK comprises: Manheim Europe Limited (registered number: 03183918), Manheim Auctions Limited (registered number: 00448761), Manheim Retail Services Limited (registered number: 02838588), Motors.co.uk Limited (registered number: 05975777), Real Time Communications Limited (registered number: 04277845) and Complete Automotive Solutions Limited (registered number: 05302535). Each of these companies is registered in England and Wales with the registered office address of Central House, Leeds Road, Rothwell, Leeds LS26 0JE. The Manheim group of companies operates under various brand/trading names including Manheim Inspection Services, Manheim Auctions, Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions.

V:0CF72C13B2AC


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150304/f87edf96/attachment.html>


More information about the Snort-users mailing list